Information Disclosure in FOSSBilling Affects Multiple Versions
CVE-2026-40495
What is CVE-2026-40495?
FOSSBilling, an open-source billing and client management system, discloses its exact system version in versions prior to 0.8.0 through the cache-buster parameters it appends to asset URLs in HTML output. When the script_tag and stylesheet_tag Twig filters generate content, the exact version is embedded in the query string of every <script> and <link> tag they produce.

This happens regardless of the hide_version_public security setting, so the detailed version information is exposed to every user, including unauthenticated guests. Some HTTP headers and API endpoints honor hide_version_public correctly, but the asset cache-buster parameters do not, which leaves open a disclosure path the setting is meant to close. Knowing the exact version makes it considerably easier for an attacker to select known vulnerabilities that apply to that release, undermining the protection the hide_version_public setting is intended to provide.

The vulnerability was fixed in version 0.8.0. There is no viable workaround without altering the source code.
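As an added illustration, not FOSSBilling's own code: a Python stand-in for the two Twig filters that shows the defective behaviour (the raw version lands in every asset URL, the setting is never consulted) beside a form that honours hide_version_public by emitting a keyed, non-reversible cache-busting token, plus a check a defender can run over rendered HTML to confirm that no <script> or <link> URL still carries a version-shaped parameter. The version string, the per-install secret, the function names and the tag markup are constructed assumptions for this example.

```python
import hashlib
import hmac
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Constructed sample values: FOSSBilling's real version string, secret handling
# and Twig filter internals are not reproduced here.
SYSTEM_VERSION = "0.7.9"
CACHE_BUSTER_KEY = b"hypothetical-per-install-secret"


# --- The behaviour the advisory describes (simplified stand-in, not project code) ---
def script_tag_vulnerable(path: str, version: str = SYSTEM_VERSION) -> str:
    # The exact version goes into the query string; hide_version_public is ignored.
    return f'<script src="{path}?v={version}"></script>'


def stylesheet_tag_vulnerable(path: str, version: str = SYSTEM_VERSION) -> str:
    return f'<link rel="stylesheet" href="{path}?v={version}">'


# --- A form that respects the setting ---
def cache_buster(version: str, key: bytes) -> str:
    """Opaque cache-busting token: it changes whenever the version changes, so
    browsers still refetch assets after an upgrade, but it cannot be mapped back
    to the version without the key. An unkeyed hash would not be enough, because
    the set of released versions is small and a plain digest can be looked up."""
    return hmac.new(key, version.encode(), hashlib.sha256).hexdigest()[:16]


def asset_token(version: str, key: bytes, hide_version_public: bool) -> str:
    return cache_buster(version, key) if hide_version_public else version


def script_tag_fixed(path: str, version: str, key: bytes, hide_version_public: bool) -> str:
    return f'<script src="{path}?v={asset_token(version, key, hide_version_public)}"></script>'


def stylesheet_tag_fixed(path: str, version: str, key: bytes, hide_version_public: bool) -> str:
    return f'<link rel="stylesheet" href="{path}?v={asset_token(version, key, hide_version_public)}">'


# --- Defender-side check over rendered HTML ---
# Matches dotted version numbers such as 0.7.9 or v1.2 in a query parameter
# name or value; a hex HMAC prefix never matches because it has no dots.
VERSION_RE = re.compile(r"^v?\d+\.\d+(?:\.\d+)*$")


class _AssetTagScanner(HTMLParser):
    ATTR_FOR_TAG = {"script": "src", "link": "href"}

    def __init__(self) -> None:
        super().__init__()
        self.leaks: list[tuple[str, str, str]] = []

    def handle_starttag(self, tag, attrs):
        attr = self.ATTR_FOR_TAG.get(tag)
        if attr is None:
            return
        url = dict(attrs).get(attr)
        if not url:
            return
        # Look at every query parameter, both its name and its value
        for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
            for candidate in (name, value):
                if VERSION_RE.match(candidate):
                    self.leaks.append((tag, url, candidate))
                    break


def find_version_leaks(html: str) -> list[tuple[str, str, str]]:
    """Return (tag, url, version_like_token) for every asset URL whose query
    string carries something that looks like a software version."""
    scanner = _AssetTagScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.leaks


if __name__ == "__main__":
    leaky_page = script_tag_vulnerable("/js/app.js") + stylesheet_tag_vulnerable("/css/app.css")
    print("vulnerable output leaks:", find_version_leaks(leaky_page))
    fixed_page = (script_tag_fixed("/js/app.js", SYSTEM_VERSION, CACHE_BUSTER_KEY, True)
                  + stylesheet_tag_fixed("/css/app.css", SYSTEM_VERSION, CACHE_BUSTER_KEY, True))
    print("hardened output leaks:", find_version_leaks(fixed_page))
```

The scanner is the useful half for an operator: feed it the HTML of a public page of your own instance and an empty result means the asset URLs no longer reveal the release; a non-empty result on a version prior to 0.8.0 is the expected finding. The keyed token still changes on every upgrade, so the cache-busting purpose of the parameter is preserved.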
Affected Version(s)
FOSSBilling < 0.8.0
